Dataplace manages modern TIER III datacenters at multiple locations in the Netherlands. At these sites we co-locate large and not-so-large IT environments alike for a variety of different customers. Inspired by a clear philosophy, centred on reliability, efficiency, sustainability and continuity, our datacenters operate to accomplish our mission: to provide continuity and high-quality datacenter services 24/7. Some customers ask us for a data processing agreement. However, as we are not a processor of the personal data on your servers, we are unable to sign such an agreement. What we do is provide secure hosting for your servers. We explain this in the first section of this statement.
Under the General Data Protection Regulation, Dataplace is an independent controller for the processing of data about you, your employees and any suppliers, when you contact us, visit our website or when you or your employees require access to one of our datacenters. For further details, see the second section of this statement.
Colocation/Housing services: Dataplace is not a processor
Dataplace offers organisations the possibility to co-locate their servers at one of our four datacenters in the Netherlands. Dataplace cannot access the personal data stored on your servers. Dataplace does not make any back-ups, nor does it provide any updates or maintenance for the operating system or applications running on your servers. The fact that Dataplace hosts your servers and provides you with a (fast) internet connection does not mean that Dataplace is a processor within the meaning of Article 4(8) of the GDPR. The co-location services that Dataplace provides are a form of transmission; Dataplace enables you to house your systems at a safe and secure location and ensures that your server can exchange data via the internet. However, Dataplace has no influence whatsoever on the processing of the personal data on, originating from or sent to your equipment.
Technical and organisational security measures
Dataplace takes appropriate technical and organisational measures to secure your servers holding personal data against loss or any form of unlawful processing. Dataplace ensures that these measures can be considered as providing an appropriate level of security within the meaning of the GDPR.
Various technical and organisational measures have been implemented both because it is in our DNA to do so and to meet our certification (e.g. ISO 27001 and NEN 7510) requirements. To retain our certification, Dataplace is obliged to review the measures at scheduled, regular intervals.
Employees' duty of secrecy
Dataplace is aware that our customers' servers may hold highly confidential, privacy-sensitive and proprietary data. For this reason, all (permanent and temporary) employees of Dataplace must sign a separate non-disclosure agreement on commencing employment with us. Furthermore, each employment contract includes a non-disclosure clause. Dataplace additionally updates its employees at scheduled, regular intervals on the importance of complying fully with our privacy and security policy.
Strict access policy
Dataplace observes a very strict access policy. Dataplace uses physical as well as digital access control, records who entered and left the building at what times, and checks these logfiles at regular intervals. Digital control measures include general camera monitoring, digital registration for occasional visits or the issuing of badges for structural access rights. All visitors must register at the access terminal. An access badge may be issued to regular visitors, subject to certain conditions.
Responding to data incidents
Dataplace registers all security incidents and deals with them according to a standard procedure. Adherence to registration and our response to security incidents are assessed at regular intervals. In addition, incidents are analysed as part of our commitment to continuously improving our organisation. As well as this being part of our policy, we are also obliged to do so under the terms of our ISO 27001 and NEN 7510 certification.
Dataplace will provide you, as our customer, with timely, correct and full information on relevant data incidents, to enable you in your role as controller to meet your legal obligations to notify any data breach to the Dutch Data Protection Authority and also to inform the people affected (the data subjects), where applicable.
Dataplace will inform the contact person of the subscription/contract of a potential data breach. It is your responsibility as controller to keep the name and contact details of your contact person up-to-date via the Dataplace customer portal.
Examples of data incidents include irreparable damage caused to hard disks, theft of data on servers following a physical intrusion or successful hacking into the datacenter or a catastrophe, such as fire in a datacenter.
Dataplace will endeavour to provide you immediately, and in any event within 48 hours, with all the information which you need to make a complete notification, where necessary, to the Dutch Data Protection Authority and/or the data subject(s). If this information is not yet known, because the data breach is being investigated by Dataplace, for example, Dataplace will in any event provide you as soon as possible with the information which you need to make a provisional notification yourself to the Dutch Data Protection Authority and/or inform the data subject(s) within the stipulated 72 hours. Dataplace will inform you in any event about the nature of the (potential) breach, and where possible will provide a description of the observed and probable consequences of the breach and the action to be taken by you to mitigate and remedy the adverse effects of the data breach.
Dataplace will keep you (your contact person) informed about the progress and the measures that are taken. Dataplace will always inform you of any change in the situation and in the event further information becomes available.
In the event you, as our customer, make a (provisional) notification to the Dutch Data Protection Authority and/or the data subject(s) regarding a data breach at Dataplace, although it is quite clear to you that there is no data breach at Dataplace, you shall be liable for any and all loss and/or damage as well as costs sustained by Dataplace. You shall additionally be obliged immediately to withdraw such notification.
IaaS / Cloud services at Dataplace
With regard to IaaS / Cloud services, the applicable privacy laws and regulations require that additional agreements are made between Dataplace and the customer with regard to personal data. These agreements are laid down in a separate processing agreement that is concluded between Dataplace and its customers.
Dataplace as independent controller
Dataplace respects your privacy and ensures that all the personal data you give us, or which we collect about you, are treated as confidential.
You provide personal data yourself to Dataplace when you contact us by telephone or email, when you enter personal data about yourself via the customer contact portal and when you visit one of our datacenters. Dataplace also collects personal data about you when you visit our website, when your employer or client requests that you be enabled to access a datacenter and when you visit a datacenter. Dataplace only processes the personal data that are necessary to enter into and perform the agreement with you. Where it is required to do so by law, Dataplace will also provide personal data to competent authorities. And where Dataplace wishes to distribute newsletters to you or processes personal data via tracking cookies, we will first request your specific consent to do so.
Types of personal data
Dataplace keeps the volume of personal data of and about our customers that it collects to a minimum. Dataplace mainly collects contact and payment details. Dataplace does not collect any special categories of personal data of customers, as referred to in Article 9 and Article 10 of the GDPR, with the exception of your fingerprint (biometric data).
The data required to obtain (temporary) access to the Datacenter are:
- Your full name
- Your date of birth
- Your mobile phone number
- Your email address
- The number of your identity document
- A copy of your identity document
- The expiry date of your identity document
- Your fingerprint (not applicable in case of escorted access)
After authentication, the scan of your identity document will be deleted. Other information is stored in our systems in encrypted form. Dataplace uses your fingerprint as an additional means of authentication, to prevent unauthorised access. The fingerprint is saved on your access badge and stored in the access system in hashed form during your visit to the Datacenter. After leaving the Datacenter, your fingerprint is deleted from the system. One month after your visit, your identity document number and its expiry date are erased. After 12 months, your name and date of birth are also erased from our systems.
If you have become a customer, you can enter data of your employees and suppliers via our customer portal to grant them access to the datacenter. The data required to obtain access to the Datacenter are the same as those listed above.
Dataplace has ensured that the systems cannot request or store the BSN (citizen service number).
In summary, Dataplace processes the personal data referred to above for the following four purposes:
- To enable authorised representatives of our customers to access their server equipment in one of our datacenters
- To perform the services contractually agreed with you
- To prepare and send invoices
- To distribute by email service communications (not direct marketing)
The main basis for most processing of personal data is the need to conclude and perform the agreement. This also applies to the distribution by email of service communications. Dataplace will only provide personal data in response to a request by authorities such as the Netherlands Authority for the Financial Markets, the European Central Bank or De Nederlandsche Bank N.V. where it is legally obliged to do so. They may require personal data for the performance of their tasks pursuant to the Dutch Financial Supervision Act (Wft). It is also possible that Dataplace is ordered to terminate the provision of its services by law enforcement or investigating authorities. In these cases, Dataplace processes personal data on the basis of mandatory compliance with a statutory obligation. Where Dataplace is jointly responsible with other organisations for the processing of personal data by allowing tracking cookies to be installed and read, Dataplace will first request your specific consent jointly on behalf of those other organisations.
Personnel and processors
As explained in the first section of this privacy statement, Dataplace considers it important that all its employees treat the personal data of its customers with due care. For this reason, Dataplace has all its (permanent and temporary) employees sign a separate non-disclosure agreement, for example.
Dataplace has also entered into data processing agreements with suppliers who process customers' personal data on our behalf, e.g. for the purpose of invoicing, access control, office IT systems and software development on the customer portal.
Dataplace does not process any personal data of our customers outside the EU.
Security and responding to data breaches
Dataplace will, in case of doubt, always notify data breaches in its own systems and the systems of its processors and suppliers to the Dutch Data Protection Authority as well as the data subjects concerned. Dataplace relies on the GDPR and the guidelines of the European supervisory authorities concerning data breaches to determine whether a data breach has occurred. A data breach covers all security incidents causing the protection of personal data to be breached or compromised at a given moment or resulting in the personal data being exposed to loss or unlawful processing.
Dataplace will notify potential data breaches within 72 hours to the Dutch Data Protection Authority. Dataplace will ensure that its employees are able to identify a data breach. Dataplace expects its processors and contractors to enable Dataplace to meet this commitment. For the sake of clarity: Dataplace will naturally also notify you, as our customer, of any data breach that occurs at a supplier of Dataplace. Dataplace is the point of contact for the customer. The customer therefore does not need to contact Dataplace’s suppliers or processors.
Your rights based on the processing of personal data
The General Data Protection Regulation (GDPR) gives you certain rights to protect your interests where your personal data are processed, as follows:
- The right to data portability. The right to transmit personal data.
- The right to be forgotten.
- The right of access. This is the right of people to access the (your) personal data which are being processed.
- The right to rectification and supplement. The right to rectify the personal data you process.
- The right to restriction of processing: The right to temporarily stop the processing of the personal data.
- The right with respect to automated decision-making and profiling. Or: the right to human involvement in decision-making.
- The right to object to data processing.
How to contact us
If you would like more information, or if you have a complaint about how your personal data are used and/or treated, please contact Dataplace's quality manager. It is also possible to file a complaint with the Dutch Data Protection Authority (DPA). For further details: https://autoriteitpersoonsgegevens.nl/